An online pharmacy part-owned by clinical software supplier Emis has come under fire for selling the data of some customers to a marketing firm.

An investigation by the Daily Mail claims that Pharmacy2U gave personal details to direct marketing agency Alchemy Direct Media, whose clients include health charities and pharmaceutical companies.

According to the Mail, names and addresses of people who requested online consultations through the site, and who used Pharmacy 2U “to place their GP prescriptions and have them delivered to their home address”, were passed on.

Pharmacy 2U says on its website that it has “provided a convenient NHS mail-order repeat prescription service for more than a decade.”

Patients can also “nominate” the pharmacy as part of the Electronic Prescription Service Release 2 which is finally rolling out across the country, and which is destined to become the centre-piece of a new “click and collect” or “click and deliver” service in the future.

However, the Mail claims the terms and conditions for online prescriptions do not cover information being passed to third parties, which is “only stated in the small print of the website’s privacy policy.”

In a statement to EHI News, Pharmacy2U said the allegations related to a two-month trial project at the end of last year that involved the sale of customers’ names and postal addresses for use in selected marketing activity.

“Data was only shared where there was patient consent,” said the company. “No medical information, emails or telephone numbers were sold. In conducting this trial project, we acted in line with current data protection and ICO [Information Commissioner’s Office] guidelines.”

Despite these assurances Pharmacy2U said it will no longer share customer data for use in third party marketing and that all data that was held by Alchemy has been destroyed.

Pharmacy 2U is a registered pharmacy of the General Pharmaceutical Council – the independent regulator for pharmacists in the UK.

In a statement to EHI News the GPhC said that it was “aware of concerns in relation to possible breaches of patient confidentiality by Pharmacy2U” and was looking into whether the company had breached its standards and principles related to patient confidentiality.

If the case then goes to the GPhC’s fitness to practise committee and a decision is made that Pharmacy 2U’s fitness to practise is impaired it could face several reprimands, including a recorded warning or removal from the GPhC’s register of pharmacies.

The Information Commissioner’s Officer, the independent body to oversee information rights, is also working to see if there have been any breaches of the Data Protection Act or Privacy and Electronic Communications Regulations as part of an investigation into a number of data selling allegations published by the Mail.

The organisation’s head of enforcement, Steve Eckersley said: “To think such [health] information could be in the hands of unscrupulous businesses looking to profit from it sends a shiver down the spine.”

Responding to a request from EHI News, Emis, which has a 20% stake in Pharmacy 2U, said it was “not aware” that the company was passing information on to Alchemy but was “reassured” after carrying out an internal investigation.

“Once a more detailed investigation has taken place we will be urgently encouraging the company to create and act on a “lessons learned” report and we will then consider what, if any, further action we need to take,” said a spokesperson for the company. 

Paul Cundy, joint chairman of the British Medical Association and Royal College of GPs' joint IT committee, told EHI News he was appalled by the allegations.

“If this is true, it’s an astonishing breach of confidentiality. This just confirms the anxieties we’ve all got about distributed data: the more that data gets distributed, the easier it is to abuse.”

Phil Booth, founder of healthcare data campaign organisation medConfidential raised concerns that Pharmacy 2U may have distributed confidential medical data by means of contextual information.

He said that, although Pharmacy 2U may have just passed on people’s names and postal address, these details were part of subsets of the entire database that must have been created based on a query, such as all patients that had taken a certain drug.

Booth also suggested that there need to be a wider look at the activity of all online pharmacies that pool patient data and that there should be a blanket ban on direct marketing based on medical information.